Privacy Policy U.S.

1) PRIVACY POLICY — U.S.

Privacy Notice (U.S. Version)

Capitalio Ltd (“Capitalio”, “we”, “our”, “us”) is a private company limited by shares, incorporated in England & Wales (company number 16311642), with its registered office at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom.

This Privacy Notice explains how Capitalio collects, uses, discloses, and protects personal information when you visit our website, contact us, subscribe to our updates, or engage us in connection with Italian real estate opportunities and related advisory or coordination services.

If you do not wish to provide certain information, you may still browse parts of the website, but we may be unable to respond fully to enquiries or provide services where information is necessary.

1. Who we are and how to contact us

Capitalio Ltd
71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom
Email: legal@capitaliousa.com

2. Personal information we collect

Depending on how you interact with us, we may collect the following categories of personal information:

• Identifiers and contact information, such as your name, email address, telephone number, postal address, and messaging details.
• Professional information, such as employer, role, or introducer details where relevant.
• Transaction and service information, such as property search criteria, budget, preferences, viewing notes, financing preferences, communications, and related documents.
• Compliance information, including AML/KYC documentation and related screening information, such as passport or ID details, proof of address, proof of funds, source-of-funds or source-of-wealth information, and sanctions/fraud screening results where required.
• Internet or other electronic network activity information, such as IP address, browser type and version, device identifiers, referring pages, time zone, and information about how you use the website.
• Marketing and communications preferences, including newsletter subscriptions and event preferences.
• Sensitive information only where necessary and lawful, for example when required for compliance, identity verification, or transaction support. We do not intentionally request sensitive personal information unless it is reasonably necessary for our services, compliance obligations, or you voluntarily provide it.

3. Sources of personal information

We may collect personal information:

• directly from you, including through forms, email, telephone, messaging apps, video calls, events, and other correspondence;
• from professional advisers and counterparties, such as Italian real estate agents, brokers, lawyers, notaries, accountants, architects, surveyors, or mortgage providers, where you ask us to coordinate with them;
• from verification and screening providers, public records, and publicly available sources where lawful; and
• automatically through cookies, analytics tools, and similar technologies when you use the website.

4. How we use personal information

We may use personal information for the following purposes:

• to operate, maintain, monitor, and secure the website;
• to respond to enquiries and communicate with you;
to provide our services and manage our relationship with you;
• to coordinate with agents, lawyers, notaries, banks, brokers, surveyors, accountants, and other professionals involved in your matter;
• to conduct identity verification, AML/KYC, sanctions, fraud, and related compliance checks where required;
• to administer introducer and referral relationships;
• to send newsletters, updates, invitations, and other marketing communications, subject to applicable law and your choices;
• to analyze website usage and improve the website, our marketing, and our services;
• to protect our rights, investigate misuse, enforce agreements, and comply with legal obligations; and
• to support corporate transactions, financing, insurance, audits, or professional advice relating to our business.

5. How we disclose personal information

We may disclose personal information to:

• Italian estate agents, sellers’ representatives, and brokers for sourcing opportunities, arranging viewings, and progressing transactions;
• professional advisers, including lawyers, notaries, accountants, surveyors, architects, tax advisers, and mortgage or financing providers where you ask us to coordinate;
• service providers that support our operations, such as cloud hosting, CRM, analytics, email, document management, communications, payment processing, and security providers;
• compliance and verification providers, including AML/KYC, sanctions, fraud-prevention, and identity-verification providers;
• regulators, law enforcement, courts, or public authorities where required by law or where necessary to protect rights; and
• actual or prospective purchasers, investors, lenders, insurers, or professional advisers involved in a corporate transaction affecting our business.

We do not sell personal information for money.

We may use analytics, cookies, and similar technologies on the website. If you deploy advertising or retargeting technologies, you should ensure your cookie and privacy disclosures accurately reflect that setup.

6. Cookies and similar technologies

We may use cookies, pixels, tags, session replay tools, and similar technologies to:

• enable core website functionality;
• remember preferences;
• measure traffic and performance;
• improve content and user experience; and
• support lawful marketing and analytics activities.

Where required by law, we will request consent for non-essential cookies or similar technologies. You can also manage cookies through your browser settings and, where available, our on-site cookie tools.

7. International transfers

Capitalio is based in the United Kingdom and works on matters involving Italy and other jurisdictions. Your personal information may therefore be accessed, stored, processed, or transferred outside the U.S., including in the United Kingdom, Italy, and other countries where our service providers or counterparties operate.

Where appropriate, we take reasonable steps to protect personal information in connection with international transfers.

8. Retention

We retain personal information for as long as reasonably necessary for the purposes described in this Notice, including to provide services, comply with legal and compliance obligations, resolve disputes, enforce agreements, and defend claims.

As a general rule, we retain client and transaction records for six (6) years after the end of the relationship, or longer where required by law, compliance obligations, insurance requirements, litigation holds, or legitimate business needs.

9. Security

We use technical, administrative, and organizational safeguards designed to protect personal information, including access controls, role-based permissions, multi-factor authentication where appropriate, encryption in transit where supported, confidentiality obligations, and service-provider controls.

No method of transmission over the internet or electronic storage is completely secure, but we take reasonable steps to reduce risk and respond appropriately to suspected incidents.

10. U.S. state privacy rights (where applicable)

Residents of certain U.S. states may have privacy rights under applicable state law, which may include the right to:

• confirm whether we process their personal information;
• access personal information;
• correct inaccurate personal information;
• delete personal information, subject to exceptions;
• obtain a portable copy of certain personal information;
• opt out of certain forms of targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects, where applicable; and
• appeal a denial of a privacy-rights request, where applicable.

Because U.S. privacy laws vary by state and may apply only if statutory thresholds are met, we will review and process requests in accordance with applicable law.

To submit a privacy request, contact: legal@capitaliousa.com

We may need to verify your identity before processing your request. We may also request additional information necessary to confirm the request and locate the relevant information.

11. California notice

If you are a California resident and the California Consumer Privacy Act, as amended, applies to our processing, you may have rights including the right to know, correct, delete, and access your personal information, the right to opt out of the sale or sharing of personal information where applicable, the right to limit the use and disclosure of sensitive personal information where applicable, and the right not to be discriminated against for exercising your rights.

We do not sell personal information for monetary consideration.

California residents may submit privacy requests by contacting: legal@capitaliousa.com

If you authorize an agent to make a request on your behalf, we may require proof of that authorization and may also verify your identity directly with you.

12. Marketing choices

You may opt out of marketing emails by using the unsubscribe link in the message or by contacting us at legal@capitaliousa.com.

Even if you opt out of marketing, we may still send service-related or administrative communications where necessary.

13. Children’s privacy

Our website and services are not directed to children under 13, and we do not knowingly collect personal information directly from children under 13 through the website.

14. Automated tools

We may use automated tools in connection with AML/KYC, sanctions, fraud, and compliance screening. We do not use automated tools to make final decisions about you where prohibited by applicable law.

15. Changes to this Notice

We may update this Privacy Notice from time to time. The latest version will be posted on the website with the updated effective date.

16. Contact

Questions about this Privacy Notice may be directed to: legal@capitaliousa.com

Data Protection & Information Security Policy (U.S. Website Version)

Status: This document is a high-level summary of Capitalio’s internal privacy and information-security controls. It is published for transparency and does not form part of any contract with website visitors or clients except to the extent required by applicable law.

1. Purpose

This Policy summarizes the organizational and technical measures Capitalio uses to protect personal data, confidential information, and business information, and to reduce risks arising from unauthorized access, loss, misuse, alteration, or disclosure.

2. Scope

This Policy applies to Capitalio directors, officers, employees, contractors, consultants, and agency staff who access Capitalio systems or information, and to information processed by or on behalf of Capitalio.

3. Governance

Capitalio maintains governance and oversight for privacy and security, including role-based accountability, incident coordination, supplier controls, and periodic review of higher-risk processing activities.

4. Key controls

Capitalio applies a risk-based approach and maintains safeguards including:

• role-based access controls and least-privilege permissions;
• multi-factor authentication where appropriate;
• secure onboarding and offboarding procedures;
• restricted access to sensitive identity and funds documentation;
• encryption in transit where supported;
• encryption at rest for supported devices and storage environments;
• patching, monitoring, logging, and vulnerability management proportionate to the systems used;
• backups and resilience measures for critical systems;
• confidentiality obligations for personnel; and
• periodic privacy and security training.

5. Data lifecycle controls

Capitalio aims to collect and use personal information only for defined and reasonably necessary purposes, retain it in accordance with documented needs and legal obligations, and delete or anonymize it when no longer required.

6. Incident response

Capitalio maintains procedures for identifying, investigating, containing, remediating, and documenting suspected security incidents and personal-data breaches, including escalation to appropriate internal decision-makers and external providers where needed.

7. Service providers and contractors

Service providers and contractors with access to Capitalio information are expected, as appropriate, to:

• use approved systems and follow documented security requirements;
• keep information confidential;
• restrict access to authorized personnel;
• notify Capitalio promptly of suspected incidents affecting Capitalio data; and
• return or securely delete Capitalio data when required.

8. Review and updates

This Policy is reviewed periodically and may be updated when there is a material change in systems, risks, or business activities.

9. Contact

Questions about this Policy may be directed to legal@capitaliousa.com